[libvirt] [PATCH 2/3] Docs for usage of new command APIs

Daniel P. Berrange berrange at redhat.com
Wed May 26 14:54:19 UTC 2010 

On Tue, May 25, 2010 at 03:14:18PM -0600, Eric Blake wrote:
> On 05/25/2010 07:24 AM, Daniel P. Berrange wrote:
> > ---
> >  docs/Makefile.am       |   12 ++++++++++--
> >  docs/internals.html.in |    9 +++++++++
> >  docs/sitemap.html.in   |    4 ++++
> >  3 files changed, 23 insertions(+), 2 deletions(-)
> > 
> > +++ b/docs/Makefile.am
> > @@ -53,7 +53,7 @@ gif = \
> >    architecture.gif \
> >    node.gif
> >  
> > -dot_html_in = $(wildcard *.html.in)
> > +dot_html_in = $(wildcard *.html.in) $(wildcard internals/*.html.in)
> >  dot_html = $(dot_html_in:%.html.in=%.html)
> 
> Note to myself: If I ever get time to revisit my VPATH patches, I've got
> a merge conflict in this area.
> 
> Jim already pointed out the new file omission, but given your first
> message had the text-ified version, here's some spelling fixes:
> 
> >                Spawning processes / commands from libvirt drivers
> > 
> >    This page describes the usage of libvirt APIs for spawning processes /
> >    commands from libvirt drivers. All code is required to use these APIs
> > 
> > Problems with standard POSIX APIs
> > 
> >    The POSIX specification includes a number of APIs for spawning processes /
> >    commands, but they suffer from a number of flaws
> > 
> >      * fork+exec: The lowest & most flexible level, but very hard to use
> >        correctly / safely. It is easy to leak file descriptors, have
> >        unexpected signal handler behaviour and not handle edge cases
> 
> Also, not portable to mingw.
> 
> >      * system: Convenient if you don't care about capturing command output,
> >        but has the serious downside that the command string is interpreted by
> >        the shell. This makes it very dangerous to use, because improperly
> >        validated user input can lead to exploits via shell meta characters.
> 
> * popen: Similar problems to system; also has issues affecting signal
> handling related to other child processes.
> 
> >      * posix_spawn: A half-way house between simplicity of system() and the
> >        flexibility of fork+exec. It does not allow for a couple of important
> >        features though, such as running a hook between the fork+exec stage,
> >        or closing all open file descriptors.
> > 
> >    Due to the problems mentioned with each of these, libvirt driver code must
> >    not use any of the above APIs. Historically libvirt provided a higher
> >    level API known as virExec. This was wrapper around fork+exec, in a
> >    similar style to posix_spawn, but with a few more features.
> 
> I didn't see anything in patch 1/3 that deprecated virExec in the public
> headers.  Is it worth adding conditional deprecation (guarded by a macro
> defined only in command.c), to make sure it is not called anywhere
> except in the command.c implementation?

The full series will eventually make virExec static, so nothing can
call it.


Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list